Merge branch 'main' into main

rallumalla · web-flow · commit 3ab8c997fc62 · 2025-09-25T12:54:43.000+05:30
diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md
@@ -92,7 +92,6 @@ What's new
 - The `mdatp threat quarantine add` command now requires superuser (root) privileges.
 - Custom definition path can now be updated without stopping Defender for Endpoint. Previously, this required stopping the service, but with this release onwards, updates to the definition path can be made dynamically, improving operational efficiency and reducing downtime.
 - Running Defender for Endpoint on Linux alongside Fapolicyd is now supported on RHEL and Fedora-based distributions, enabling both antivirus (real-time protection) and EDR functionality to operate without conflict. For other fanotify-based tools, MDE can still be used safely by setting the antivirus enforcement level to passive, helping avoid system instability.
-- Both the binary and Python versions of Client Analyzer are now included in the local package. There is no longer a need to download it separately, as it comes bundled by default. You can find it at the location `/opt/microsoft/mdatp/conf/client_analyzer/`.
 - Other stability enhancements and bug fixes.
 
 ### July-2025 Build: 101.25052.0007 | Release version: 30.125052.0007.0
diff --git a/defender-endpoint/microsoft-defender-passive-mode.md b/defender-endpoint/microsoft-defender-passive-mode.md
@@ -26,8 +26,6 @@ Some of the key benefits of Defender Antivirus in passive mode are:
 
 * **EDR Block mode** - Post-breach protection by detecting and remediating threats missed by the active antimalware solution
 
-* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
-
 * **Security intelligence updates** - Microsoft Defender Antivirus continues to receive updates to stay aware of the latest threats.
 
 * **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
diff --git a/defender-endpoint/respond-machine-alerts.md b/defender-endpoint/respond-machine-alerts.md
@@ -103,19 +103,19 @@ Or, use this alternate procedure:
 
    ![Image of collect investigation package](media/collect-investigation-package.png)
    
-2. Add comments and then select **Confirm**.
+1. Add comments and then select **Confirm**.
 
    ![Image of confirm comment](media/comments-confirm.png)
    
-3. Select **Action center** from the response actions section of the device page.
+1. Select **Action center** from the response actions section of the device page.
 
    ![Image of action center](media/action-center-selected.png)
    
-4. Select **Package collection package available** to download the collection package.
+1. Select **Package collection package available** to download the collection package.
 
    ![Image of download package](media/download-package.png)
-
-   > [!NOTE]
+   
+      > [!NOTE]
    > The collection of the investigation package may fail if a device has a low battery level or is on a metered connection.
    
 ### Investigation package contents for Windows devices
@@ -216,7 +216,8 @@ Depending on the severity of the attack and the sensitivity of the device, you m
 - You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](mde-linux-prerequisites.md). Ensure that the following prerequisites are enabled:
    - `iptables`
    - `ip6tables`
-   - Linux kernel with `CONFIG_NETFILTER`, `CONFID_IP_NF_IPTABLES`, and `CONFIG_IP_NF_MATCH_OWNER`
+   - Linux kernel with `CONFIG_NETFILTER`, `CONFIG_IP_NF_IPTABLES`, and `CONFIG_IP_NF_MATCH_OWNER` for kernel version lower than 5.x and `CONFIG_NETFILTER_XT_MATCH_OWNER` from 5.x kernel.
+    
 - Selective isolation is available for devices running on Windows 11, Windows 10 version 1703 or later, Windows Server 2012 R2 and later, Azure Stack HCI OS, version 23H2 and later, and macOS. For more information about selective isolation, see [Isolation exclusions](./isolation-exclusions.md).
 - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
 - The feature supports VPN connection.
diff --git a/defender-office-365/mdo-email-entity-page.md b/defender-office-365/mdo-email-entity-page.md
@@ -476,6 +476,8 @@ The following actions are available at the top of the Email entity page:
 
     > [!TIP]
     > **Download email** isn't available for messages that were quarantined. Instead, [download a password protected copy of the message from quarantine](quarantine-admin-manage-messages-files.md#download-email-from-quarantine).
+    >
+    > **Email preview** and **Download email** actions are available in **Audit Logs** and **CloudAppEvents** table of Advanced Hunting (Record type 38) for auditing and reporting.
 
 ¹ The **Email preview** and **Download email** actions require the **Preview** role. You can assign this role in the following locations:
 
diff --git a/defender-vulnerability-management/fixed-reported-inaccuracies.md b/defender-vulnerability-management/fixed-reported-inaccuracies.md
@@ -39,6 +39,7 @@ The following tables present the relevant vulnerability information organized by
 |---|---|---|
 | - | Added MDVM support for Zoom vulnerability- CVE-2025-49457 | 03-September-25 |
 | - | Added MDVM support for 8 Tableau Server vulnerabilities- CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454 and CVE-2025-52455 | 09-September-25 |
+| - | Defender Vulnerability Management has completely rolled back support for Microsoft Visual C++ | 18-September-25 |
 
 ## August 2025
 
@@ -52,7 +53,6 @@ The following tables present the relevant vulnerability information organized by
 | 103856 | Fixed bad normalization in McAfee Network Security Manager | 05-August-25 |
 | 109441 | Fixed bad normalization in AlmaLinux Perl | 05-August-25 |
 | 97670 | Fixed inaccurate detections of VMware Tools by excluding invalid paths - "/vmware blast/", "/remote experience/" | 19-August-25 |
-| - | Added MDVM support for Microsoft Visual C++ vulnerabilities- CVE-2009-0901, CVE-2009-2493, CVE-2010-3190, CVE-2024-43590 | 20-August-25 |
 | 112007 | Fixed inaccuracy in Gimp vulnerability- CVE-2025-8672 | 21-August-25 |
 | 109858 | Fixed inaccuracy in Microsoft SQL Server Management Studio vulnerability- CVE-2025-29803 | 21-August-25 |
 | - | Updated CPE detection logic for Cisco Identity Services Engine | 26-August-25 |
